fix: disallow http imports for modules loaded over https (#5680)

2025-03-03 09:31:22 -05:00 · 2020-05-21 13:06:12 +02:00 · 2020-05-21 13:06:12 +02:00 · 5f9c1c7da6
commit 5f9c1c7da6
parent bebb8c029f
9 changed files with 57 additions and 4 deletions
--- a/cli/module_graph.rs
+++ b/cli/module_graph.rs
@ -274,6 +274,8 @@ impl ModuleGraphLoader {
    Ok(())
  }

+  // TODO(bartlomieju): decorate errors with import location in the source code
+  // https://github.com/denoland/deno/issues/5080
  fn download_module(
    &mut self,
    module_specifier: ModuleSpecifier,
@ -283,6 +285,18 @@ impl ModuleGraphLoader {
      return Ok(());
    }

+    // Disallow http:// imports from modules loaded over https://
+    if let Some(referrer) = maybe_referrer.as_ref() {
+      if let "https" = referrer.as_url().scheme() {
+        if let "http" = module_specifier.as_url().scheme() {
+          let e = OpError::permission_denied(
+            "Modules loaded over https:// are not allowed to import modules over http://".to_string()
+          );
+          return Err(e.into());
+        };
+      };
+    };
+
    if !self.is_dyn_import {
      // Verify that remote file doesn't try to statically import local file.
      if let Some(referrer) = maybe_referrer.as_ref() {
@ -293,7 +307,9 @@ impl ModuleGraphLoader {
            match specifier_url.scheme() {
              "http" | "https" => {}
              _ => {
-                let e = OpError::permission_denied("Remote module are not allowed to statically import local modules. Use dynamic import instead.".to_string());
+                let e = OpError::permission_denied(
+                  "Remote modules are not allowed to statically import local modules. Use dynamic import instead.".to_string()
+                );
                return Err(e.into());
              }
            }
--- a/cli/state.rs
+++ b/cli/state.rs
@ -279,6 +279,21 @@ impl ModuleLoader for State {
    is_dyn_import: bool,
  ) -> Pin<Box<deno_core::ModuleSourceFuture>> {
    let module_specifier = module_specifier.clone();
+
+    // TODO(bartlomieju): this code is duplicated from module_graph.
+    // It should be removed when `prepare_load` will be used to load modules.
+    // Disallow http:// imports from modules loaded over https://
+    if let Some(referrer) = maybe_referrer.as_ref() {
+      if let "https" = referrer.as_url().scheme() {
+        if let "http" = module_specifier.as_url().scheme() {
+          let e = OpError::permission_denied(
+            "Modules loaded over https:// are not allowed to import modules over http://".to_string()
+          );
+          return async move { Err(e.into()) }.boxed_local();
+        }
+      }
+    }
+
    if is_dyn_import {
      if let Err(e) = self.check_dyn_import(&module_specifier) {
        return async move { Err(e.into()) }.boxed_local();
@ -293,7 +308,9 @@ impl ModuleLoader for State {
            match specifier_url.scheme() {
              "http" | "https" => {}
              _ => {
-                let e = OpError::permission_denied("Remote module are not allowed to statically import local modules. Use dynamic import instead.".to_string());
+                let e = OpError::permission_denied(
+                  "Remote modules are not allowed to statically import local modules. Use dynamic import instead.".to_string()
+                );
                return async move { Err(e.into()) }.boxed_local();
              }
            }
--- a/cli/tests/disallow_http_from_https.js
+++ b/cli/tests/disallow_http_from_https.js
@ -0,0 +1,2 @@
+// Trying to import "http://", while this file is accessed by "https://"
+import "http://localhost:4545/cli/tests/001_hello.js";
--- a/cli/tests/disallow_http_from_https.ts
+++ b/cli/tests/disallow_http_from_https.ts
@ -0,0 +1,2 @@
+// Trying to import "http://", while this file is accessed by "https://"
+import "http://localhost:4545/cli/tests/001_hello.js";
--- a/cli/tests/disallow_http_from_https_js.out
+++ b/cli/tests/disallow_http_from_https_js.out
@ -0,0 +1 @@
+error: Modules loaded over https:// are not allowed to import modules over http://
--- a/cli/tests/disallow_http_from_https_ts.out
+++ b/cli/tests/disallow_http_from_https_ts.out
@ -0,0 +1 @@
+error: Modules loaded over https:// are not allowed to import modules over http://
--- a/cli/tests/error_local_static_import_from_remote.js.out
+++ b/cli/tests/error_local_static_import_from_remote.js.out
@ -1,2 +1,2 @@
 [WILDCARD]
-error: Remote module are not allowed to statically import local modules. Use dynamic import instead.
+error: Remote modules are not allowed to statically import local modules. Use dynamic import instead.
--- a/cli/tests/error_local_static_import_from_remote.ts.out
+++ b/cli/tests/error_local_static_import_from_remote.ts.out
@ -1,2 +1,2 @@
 [WILDCARD]
-error: Remote module are not allowed to statically import local modules. Use dynamic import instead.
+error: Remote modules are not allowed to statically import local modules. Use dynamic import instead.
--- a/cli/tests/integration_tests.rs
+++ b/cli/tests/integration_tests.rs
@ -1686,6 +1686,20 @@ itest_ignore!(cafile_info {
  http_server: true,
 });

+itest!(disallow_http_from_https_js {
+  args: "run --quiet --reload --cert tls/RootCA.pem https://localhost:5545/cli/tests/disallow_http_from_https.js",
+  output: "disallow_http_from_https_js.out",
+  http_server: true,
+  exit_code: 1,
+});
+
+itest!(disallow_http_from_https_ts {
+  args: "run --quiet --reload --cert tls/RootCA.pem https://localhost:5545/cli/tests/disallow_http_from_https.ts",
+  output: "disallow_http_from_https_ts.out",
+  http_server: true,
+  exit_code: 1,
+});
+
 itest!(fix_js_import_js {
  args: "run --quiet --reload fix_js_import_js.ts",
  output: "fix_js_import_js.ts.out",
				`@ -0,0 +1 @@`
				`error: Modules loaded over https:// are not allowed to import modules over http://`